1. Technical Field
The present invention relates to network security, and more particularly, to security planning with soft security constraints.
2. Discussion of the Related Art
A workflow is a set of components (e.g., software, etc.) connected by secure communication channels. It is noted that a secure channel restriction can be removed by modeling insecure channels as a component. Each component can have a number of input and output ports. Channels establish connections between output and input ports, with each channel delivering objects from an output to an input port. When a workflow is executed, objects (e.g., data in digital format, if software components are considered) are sent between the components through the communication channels. During execution, some objects may enter the workflow through input channels, and some objects may leave the workflow through output channels.
Objects or components may contain confidential information that must be protected. Security risks in this scenario correspond to the risk of making confidential information known to parties that are not authorized to access it. It is noted that a workflow satisfies a goal if the output of the workflow conforms to a set of specifications associated with the goal. Part of the goal can include a specification of risk management requirements, such as a minimum risk requirement or a bound value that limits the maximum risk associated with the constructed workflow.
The use of planning methods for constructing workflows together with security risk estimation models enables flexible risk management. For example, if the risk of executing a workflow is estimated, appropriate risk mitigation measures can be selected and used. Automatic planning methods enable fast reaction to changes such as changes in security policy, access authorization of principals or changes in object sensitivity. The same methods that were used to initially construct or configure workflows to satisfy risk management goals can be applied to modify workflows to satisfy security requirements under changing conditions. Automatic planning can be used to configure software products on demand, ensuring that the resulting configuration satisfies security risk constraints imposed by a security policy.
Security requirements expressed in the goal specification can include both hard and soft security constraints. Hard security constraints, such as the Bell-LaPadula mandatory access control policy, require the sensitivity of a workflow output to be limited by an access class specified in the goal expression of the workflow. Soft constraints allow this restriction to be relaxed by replacing it with a method for estimating the risk associated with workflow execution. Access policies are then based on the risk estimate; they may require the use of risk mitigation measures specific to each risk level, and they may establish a bound on the maximum allowed risk.
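As an added illustration that is not part of the patent text, the following Python models a workflow as components, ports and channels, derives the sensitivity of the workflow output by joining the classes of everything that flows into it, and evaluates a hard Bell-LaPadula-style constraint against a goal access class. It then evaluates a soft constraint against an assumed risk model: each component contributes its exposure probability multiplied by a value assigned to the sensitivity class flowing through it, and the total is compared with a bound and mapped to a mitigation tier. The linear lattice, the exposure figures, the VALUE weights, the mitigation tiers and the sample workflow are all constructed for this example; the document specifies none of them.

```python
from dataclasses import dataclass

# Assumed linear sensitivity lattice; list order is the dominance order.
LEVELS = ["public", "internal", "confidential", "secret"]


def dominates(a: str, b: str) -> bool:
    """True if access class a may see objects of class b (a >= b)."""
    return LEVELS.index(a) >= LEVELS.index(b)


def join(a: str, b: str) -> str:
    """Least upper bound of two classes."""
    return a if dominates(a, b) else b


@dataclass(frozen=True)
class Component:
    name: str
    level: str        # class of information the component itself holds
    exposure: float   # assumed probability the component leaks what flows through it


@dataclass(frozen=True)
class Channel:
    src: str          # "component.port" of the sending output port
    dst: str          # "component.port" of the receiving input port


@dataclass
class Workflow:
    components: dict  # name -> Component
    channels: list    # Channel objects
    inputs: dict      # workflow input port "comp.port" -> class of the entering object
    output: str       # "comp.port" whose object leaves the workflow


def level_of(wf: Workflow, comp: str, _memo=None, _stack=()) -> str:
    """Class of objects leaving `comp`: join of its own class and of everything
    arriving on its input ports (no declassification, as in Bell-LaPadula)."""
    if _memo is None:
        _memo = {}
    if comp in _memo:
        return _memo[comp]
    if comp in _stack:
        raise ValueError(f"cycle through component {comp}")
    lvl = wf.components[comp].level
    for port, cls in wf.inputs.items():           # objects entering from outside
        if port.split(".")[0] == comp:
            lvl = join(lvl, cls)
    for ch in wf.channels:                        # objects arriving over channels
        if ch.dst.split(".")[0] == comp:
            upstream = ch.src.split(".")[0]
            lvl = join(lvl, level_of(wf, upstream, _memo, _stack + (comp,)))
    _memo[comp] = lvl
    return lvl


def satisfies_hard(wf: Workflow, goal_class: str) -> bool:
    """Hard constraint: the goal's access class must dominate the output's class."""
    return dominates(goal_class, level_of(wf, wf.output.split(".")[0]))


# Assumed risk model: each component contributes exposure * VALUE[class flowing through it].
VALUE = {"public": 0.0, "internal": 1.0, "confidential": 4.0, "secret": 16.0}
# Assumed mitigation tiers: (upper bound on risk, measure required below that bound).
MITIGATIONS = [(1.0, "none"), (4.0, "audit logging"),
               (float("inf"), "encrypt channels and require review")]


def estimate_risk(wf: Workflow) -> float:
    memo = {}
    return sum(c.exposure * VALUE[level_of(wf, c.name, memo)]
               for c in wf.components.values())


def satisfies_soft(wf: Workflow, max_risk: float):
    """Soft constraint: (within bound?, risk estimate, mitigation tier for that risk)."""
    risk = estimate_risk(wf)
    mitigation = next(measure for bound, measure in MITIGATIONS if risk < bound)
    return risk <= max_risk, risk, mitigation


def example_workflow() -> Workflow:
    """Constructed sample: a confidential object enters an anonymizer whose
    output feeds a report generator; the report is the workflow output."""
    comps = {
        "anonymizer": Component("anonymizer", "internal", exposure=0.1),
        "report": Component("report", "public", exposure=0.5),
    }
    return Workflow(components=comps,
                    channels=[Channel("anonymizer.clean", "report.data")],
                    inputs={"anonymizer.raw": "confidential"},
                    output="report.pdf")


if __name__ == "__main__":
    wf = example_workflow()
    print("output class:", level_of(wf, "report"))
    print("hard constraint (goal internal):", satisfies_hard(wf, "internal"))
    print("soft constraint (bound 3.0):", satisfies_soft(wf, 3.0))
```

Under the join rule the confidential input dominates everything downstream, so the hard constraint with an "internal" goal class is rejected outright, whereas the soft check reports the estimated risk, whether it lies within the goal's bound, and which mitigation tier the planner would have to attach to the configuration.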
For practical implementation of security risk management through planning, it is necessary to choose a model for security risk assessment and to define a corresponding planning domain model. The planning domain model describes components, workflow inputs, goal requirements and other elements of a workflow planning task using concepts, data structures and a representation language that an automatic planner can recognize. The planning domain model must guarantee that the plans constructed by an automatic planner according to the constraints of the domain model and the goal requirements can be translated to workflow configurations that satisfy the security risk requirements.